Friday, December 21, 2007

UAC: Vista UAC vulnerabilities

I just found out about an important security update for Vista: KB943078. Betanews published the related article Microsoft acknowledges Vista kernel elevation vulnerability on December 14, 2007 that links to the Microsoft Security Bulletin MS07-066 - Important. Basically, a vulnerability has been found that enables a trojan to elevate itself to full administrator without the user's knowledge, thereby gaining complete control of the system. (This is what they mean when they say that UAC is not a security boundary.)

While we are on the subject of vulnerabilities, here are some other oldies worth knowing about...

PC World published the article Vista's UAC Warnings Can't be Trusted, Symantec Says on February 22, 2007. Basically this is a vulnerability that tricks a user into thinking it is safe to elevate a process. It does this by tricking the system into displaying the trusted green elevation dialog that indicates that the elevation request is coming from a trusted Windows process rather than from an unknown process (that would be displayed with a yellow/orange title bar). You can see samples of the various elevation dialogs here: Getting Started with User Account Control on Windows Vista

That was followed up by on May 16, 2007 with the article Researcher Reveals 2-Step Vista UAC Hack. This article shows that the theoretical vulnerability found by Symantec could actually be exploited. Remember, that this exploit is a weakness in the design of UAC so it won't be patched like was done with the critical security update above. This is a good reminder that your user population should not be given administrator privileges unnecessarily.

While we're on the topic of weakness in UAC design, you will want to have a look at ZDNet's article Hacker, Microsoft duke it out over Vista design flaw posted February, 2007. It points out the compromises made to Vista's elevation procedures when it comes to installing legacy applications. It is important to note that Vista's requirement that you must be admin to install some of these applications is less secure than XP where sometimes you had the opportunity to install products with only basic user rights.

[EDIT 22/01/2008] George Ou who blogs on ZDNet wrote a thoughtful article discussing the link above. He spoke with the two parties involved and got some good insight. Read: What the UAC 'hole' is really about

I also found another article written from the perspective of third party Vista security vendors: Reports of Vista's security weakness 'overblown'

No comments: